Report Spotlights HealthCare.gov Security Weaknesses

The Centers for Medicare and Medicaid Services reported more than 300 security incidents involving Obamacare's HealthCare.gov website over an 18-month period, according to a new Government Accountability Office report. But the study notes: "None of the incidents included evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information."

The report, which recommends numerous security and privacy control enhancements for the federal health insurance marketplace, says that between October 2013 and March 2015, CMS reported 316 security-related incidents affecting the Obamacare Web portal and its supporting systems. CMS is the unit of the Department of Health and Human Services responsible for overseeing HealthCare.gov.

"The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient," the report notes.

Only one incident, the GAO reports, "involved a confirmed instance of an attacker gaining access to a HealthCare.gov-related server. In that incident, the attacker installed malware on a test server that held no PII." (See: HealthCare.gov Hack: How Serious?).

Reacting to the report, eight GOP Senate and House committee chairmen sent a letter on March 23 to HHS Secretary Sylvia Mathews Burwell and CMS Acting Administrator Andy Slavitt seeking more details about each of the 316 HealthCare.gov security incidents reported by CMS.

Dan Berger, CEO of security consulting firm Redspin, says it's not surprising that there have been multiple attempts to break into HealthCare.gov "given this is a website with a large 'bullseye' painted on it. In addition to the amount of [personal information] it stores and processes, many hackers are motivated by the infamy that would result from hacking HealthCare.gov."

This is not the first time that a government watchdog agency has spotlighted HealthCare.gov security weaknesses. Previous reports by the GAO and HHS Office of Inspector General in 2014 and 2015 have also noted a variety of security shortcomings.

HealthCare.gov Security Shortcomings

In its latest report, the GAO says CMS has taken steps to protect the security and privacy of data processed and maintained by the systems and connections supporting Healthcare.gov, including the Federal Data Services Hub, which is a portal for exchanging information between the federal marketplace and other federal agencies.

But the GAO says it identified weaknesses in technical controls protecting the data flowing through the data hub, and its recommendations to CMS included:

Require continuous monitoring of the privacy and security controls of state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities;

Develop and document procedures for reviewing the State Based Marketplace Annual Reporting Tool, or SMART, including specific follow-up timelines and identifying corrective actions to be performed if deficiencies are identified. SMART is intended to collect information to be used as the basis for evaluating a state-based Obamacare marketplace's compliance with regulations and CMS standards.

In a separate report with limited distribution, the GAO says it recommended 27 actions to mitigate the various identified security and privacy weaknesses.

Also, the GAO notes that it separately "identified significant weaknesses in the controls at three selected state-based marketplaces" that were reported to the three states in September 2015. These included insufficient encryption and inadequately configured firewalls, among others. The GAO says the three states "generally agreed [to the agency's recommendations] and have plans in place to address the weaknesses."

HHS concurred with all of the GAO's recommendations, the report notes. "Further, it also provided information regarding specific actions the agency has taken or plans on taking to address these recommendations," the GAO states. "We also received technical comments from HHS, which have been incorporated into the final report as appropriate."

Common Problems

The HealthCare.gov security weaknesses the GAO identified are common problems faced by many private sector organizations, says Mac McMillan, CEO of security consulting firm CynergisTek. And if not addressed, these flaws can put data at risk, he contends.

"These are absolutely consistent with the challenges that other healthcare entities are dealing with, and more importantly creating a high percentage of our risk today," he says. "Studies by several organizations showed that many of the attacks last year took advantage of missing patches, for instance, for vulnerabilities that were well known."

McMillan says the 316 security incidents, which included attempted hacker attacks, highlight the urgency for the assorted weaknesses to be addressed.

"Given that this number represents the incidents that CMS reported officially, likely not the total number of events they experienced, it is significant and demonstrates a concerted interest in these sites by potential cybercriminals," he says. "Most concerning to me is the lack of active oversight and the periodicity of testing. In this environment, testing is a must to identify the very kinds of problems that they discovered - lack of patching, configuration errors - to resolve them before they can be exploited."

Lack of Oversight?

Jay Trinckes, senior practice lead at the security consulting firm Coalfire, says that of the weaknesses identified, the most concerning is the lack of oversight CMS has for the state-based insurance marketplaces. "In the report, GAO indicated that three of these marketplaces were identified with 'significant weaknesses that placed the data they contained at risk of compromise.' As more health information is digitized, it is more important than ever that these systems are maintained in a secure manner," he says.

It is important that Healthcare.gov "stays vigilant in its monitoring efforts and ensure they maintain a multitude of layers of defenses. Ensuring that they are capable of responding to security incidences immediately and mitigate identified issues will go a long way in keeping the site secure," he adds.

HHS did not immediately respond to Information Security Media Group's request for comment.

About the Author

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
